CVE-2025-11785

Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:circutor:sge-plc1000_firmware:9.0.2:*:*:*:*:*:*:*

cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:circutor:sge-plc50_firmware:9.0.2:*:*:*:*:*:*:*

cpe:2.3:h:circutor:sge-plc50:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-02 13:15

Updated : 2025-12-03 19:13

NVD link : CVE-2025-11785

Mitre link : CVE-2025-11785

CVE.ORG link : CVE-2025-11785

JSON object : View

Products Affected

circutor

sge-plc1000_firmware
sge-plc50_firmware
sge-plc50
sge-plc1000

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2025-11785", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "cve-coordination@incibe.es"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-02T13:15:50.223", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter."}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de b\u00fafer basado en pila en Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. En la funci\u00f3n 'ShowMeterPasswords()', existe una entrada de usuario ilimitada que se copia a un b\u00fafer de tama\u00f1o fijo a trav\u00e9s de 'sprintf()'. La funci\u00f3n 'GetParameter(meter)' recupera la entrada del usuario, la cual se incorpora directamente en un b\u00fafer sin validaci\u00f3n de tama\u00f1o. Un atacante puede proporcionar una entrada excesivamente grande para el par\u00e1metro 'meter'."}], "lastModified": "2025-12-03T19:13:22.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:circutor:sge-plc1000_firmware:9.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FC715A9-6F95-4795-B3B1-1BFAF88ACCE9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FFF41215-1018-42DD-9A7E-BBC2E5B4522D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:circutor:sge-plc50_firmware:9.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "203C8B5E-582A-4680-B324-B9092F01462B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:circutor:sge-plc50:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "447D1571-5329-422D-8E31-F4964E412FC3"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve-coordination@incibe.es"}